As I was getting off the plane to come here from the general counsel of the institution that I work for,
incidentally the NDA says that I cannot disclose who I work for, ironically,
saying that the waiver of my NDA had been rescinded
and that I wasn't going to be able to tell you anything about the kiosk packages that I was supposed to be presenting here.
So I've been up since Thursday at 9 o'clock in the morning.
So if I'm a little bit sluggish or if I mismatch terms or if I make absolutely no sense whatsoever, please forgive me.
Thank you.
All right.
Okay.
The primary sources for a lot of the conclusions that I'm drawing in this speech come from five years of help desk experience
dealing with users of all intelligence and experience levels.
And six months of dedicated standard usability testing
of ideas that me and my fellow developers came up with for a shell replacement kiosk development package.
First question.
Who is the bigger threat to your IT department?
Trust me, it gets worse.
The elite hacksaw.
He knows where you live.
He knows header files.
Yes, he is elite.
He cried when attrition.org stopped updating their defacement mirror.
And he has never used plain English when communicating with any of his friends.
Even over the telephone, believe it or not.
And now we have Ms. "I think my computer hates me."
I told you it got worse.
She's a frequent listener.
She's a frequent visitor to buddyicons.com.
She has a system tray in Windows NT longer than her hair.
She actually thought Clippy was sexually harassing her the first time that he came up.
You know, he's all cute.
You know, he popped up, had that little wink, you know.
And ironically was recently promoted from billing to help desk supervisor.
This is my life.
The fact of the matter is that they're both a threat.
I was actually supposed to ask which one of you thought was more of a threat, but screw it.
They're both a threat.
The fact of the matter is that all users are only humans.
Humans are fallible beings.
Humans have reactions to stimuli that regardless of how simple or how complex or how threatening that stimuli,
their reactions to it are often guided by instincts and limited information, prejudices that they come to pretty quickly.
And as humans, they're prone to follow behavior patterns that they're familiar with.
Once they get into a set established pattern, they're more set to regress right back to that than to try something new or than to grow.
I mean, we're only human.
We all do that.
Poor interface design puts the user in position to compromise systems indirectly.
By either screwing up their security settings or by being deceived by someone who's trying to intrude the system through the user.
First I wanted to talk about, well first I have basically two big items that I wanted to hit on.
Users are often betrayed in security by their own sense of paranoia or by their own comfort level and comfort zone.
Probably the most disturbing.
I mean, I'm not saying that every single thing are pop-up events that happen such as this.
In any kind of usability testing, we've always found that these kind of pop-up events, regardless of how benign,
regardless of how simple or how complex they are, are usually the single most jarring thing for a user.
That even though it's a course of daily life in virtually every interface, it's still jarring for users to be presented from their plane of vision
into something that just pops up right in front of them.
I mean, it's a natural instinct.
If you're just sitting there and someone pops up right in front of you, you're going to be scared.
Humans, while they don't have the same reaction to pop-up windows because they're more used to it,
are still on a subconscious level threatened and heightened into a slight state of alert by pop-up messages.
Another common thing that we found was no exit opportunity events.
You know, when a page has poor code and your poor browser's trying to debug it,
you have to go through screen after screen after screen after screen after screen after screen of these standard little pop-up messages.
There are a lot of other type of no exit opportunity events, things such as bombardments.
You know, when you type one key wrong, when you're entering in the URL, boom.
You know, you pop up and you're suddenly bombarded with 50 windows and things like that.
The other thing that is exploited or that can be used to exploit users through their own paranoia
are confusing security levels and inappropriate metaphors for security settings.
Clustering security that should not be clustered and all of this causes frustration
that leads to exploitable user paranoia through no fault of the user's own directly,
even though the user more often than not is stupid.
Of course, this being DEF CON, I have to diss on Windows.
And I mean legitimately, the security options, internet settings in all of the
new Windows flavors are extraordinarily complex.
They are far, far, far beyond most people's knowledge about system security.
Even if you, you know, know general basic security user paradigms,
if you're an educated user, a lot of the options presented in these menus
can be very confusing and can be threatening.
The other really big disadvantage to what Windows does is that it sets supposedly custom security levels.
You know, high, medium, low and, you know, completely fucked.
I'll take questions at the end if that's all right.
It's a very, very poor security model.
And more often than not, users have different needs.
Users need to access different sites.
Users need to use the internet in many different ways.
And they need to set up different security paradigms for what they're going to be doing.
And this is one way, just by confusion, that the user becomes paranoid.
And it creates a weakness in the system that's user-based.
Of course, and the most obvious one is, I think I lost my place here, I'm sorry.
Right, just going back to what I was saying.
Paranoid users will often interpret security information incorrectly.
And revert to insecure behavior because they draw analogies out of network technologies from things in real life.
One actually somewhat common one in the environment that I was working with were professors who were under the impression.
Well, professors were under the somewhat correct impression that digital cell phones are usually less prone to casual eavesdropping than party lines, than PBXs, than, you know, things in your office.
You're probably, if you want to make a private call, you're probably better off taking your cell phone outside than risking someone else in the house picking up the phone, casually eavesdropping it, or having the line tapped, things like that.
We've all heard those stories.
So these professors think that because digital cell phones are more secure than generally wired phones, they think that wireless networks, of course, have to be more secure than wired networks.
I mean, I'm not kidding.
People actually think this.
And that's one way that user paranoia can be exploited by drawing and reaffirming incorrect analogies such as that.
Paranoid users, like I said, will also seek familiar escape routes out of visual or aural bombardment.
When they're presented with a lot of pop-up windows like that, if you can design interfaces that exploit the user's own patterns and own tendencies to try to escape those things, you can, of course, implant trojans.
You can penetrate security.
You can get to things that you're not supposed to be getting to.
And, of course, you're going to get to them because the user is trying to escape.
They're not trying to keep their system secure.
They're not trying to understand what's going on.
They're just simply trying to get out.
And you can install a lot of things by presenting another bombardment and leaving nice little simple okay, okay, okay, okay, okay, okay, okay.
And, you know, just install a whole host of stuff through a visual bombardment like that.
Paranoid users, ironically, in what we found in some of our usability testing, are prompted to shut off security warnings.
And, of course, being paranoid users, they fail to follow up on passive security indicators.
They think that simply because there's nothing telling them that something's wrong.
I mean, they remember that they shut off some things, but they still expect the computer to tell them if something's gravely wrong.
And, of course, the computer's not going to tell them that there's anything gravely wrong because the computer's a computer.
You told it not to do something.
Odds are it's not going to do something.
And so that's another way that a user's own paranoia can be used to betray them to compromise security.
And also paranoid users, like I said before, trust security.
Familiar visual clues.
Another common way of exploiting things is just by saying, you know, install this free security update or you need this security update or you need X, Y, or Z.
If you can present an interface that's familiar enough to them, that's another way that you can compromise user security.
Of course, the flip side of that is exploiting the user through user comfort and sources of false positive information.
One quick example.
Another example of this is relying on the preponderance of visual cues.
Security alerts like these are kind of, you know, half and half more often than not, yeah, it's fine.
That, you know, Microsoft for some reason has decided not to list that issuer of security certificates.
But the way that the average user reads this is very similar to the way that the average user will read a newspaper or will read a magazine.
The first thing that they'll see is that big icon that's on top of the big white space towards the left.
That's the first thing that draws their eye in.
That sets the user into a state of panic.
You know, it's yellow, it's a warning there.
And then the average user will go down there and the iconography will register in the user's conscious before they read any text.
They'll see, you know, okay, there's a smaller warning icon there.
But oh wait, my eye is drifting down below.
After that initial smaller warning, I see two green things.
So everything must be okay.
You know, even if the user does read the text,
and even if the user is not confused by the text,
odds are just because of the way that the iconography there is laid out,
the user is more apt on a subconscious level to just say okay,
especially with the line at the bottom saying, do you want to proceed?
Of course, the user is trying to do something.
This is just another hindrance.
Oh, it's trying to tell me something.
Oh, but okay, I guess it's okay as they read down.
And even though the default option on that window is no,
more often than not, even with educated users, they're going to click yes.
And like I said before, comfortable users,
people who have a certain comfort zone about things,
will follow patterns of usage that are routine or are diversionary.
You know, one of the most common ways that users can be exploited
by their own sense of routine or familiarity is through friends and family viruses
and email and things like that.
You know, Melissa, I love you and stuff like that.
And actually, there's one particularly nasty friend zone
or friends and family virus that actually employs no code.
It's actually a hoax.
It's basically a message that people forward to each other just like,
you know, the Good Times virus and things like that,
only this one implores the user to take action to find a specific file.
In this case, it was a file that was a utility that restores long file names in Windows.
And the host, you know, the hoax, I'm sorry,
used that system of trust networks that people have
in forwards and in email.
And it's, you know, extraordinarily common,
a very common behavior pattern on the net
to exploit the more comfortable user.
Ironically, this kind of behavior also works on the more paranoid user
because when you present a paranoid user with any kind of warning
and at the same time present the user with a call to action,
more often than not, the paranoid user is going to immediately
flow to that call to action regardless of what it is
because that's what they think the best course of action is right there.
It's just like,
you know, when somebody says,
oh my god, oh my god, he has a gun,
what's your first course of action?
Duck.
You know.
Regardless of where the gun is,
the first thing that you're told
or the first thing that you've seen other people do
that you've seen in movies is the first thing you're going to do.
The first thing that you're presented with in an email like that
is odds are what you're going to do.
And of course, another very common thing in help desks
with lots of secretaries who like cute things
are cute little Trojan applications.
These are lovely.
I mean, let's go back to Ms. "I think my computer hates me."
Okay, she has tons and tons and tons of these cute little applications.
That on occasion will have, you know, a little nasty Trojan
that will wipe out her computer and every computer on her subnet
and all these things like that,
and then of course we have to deal with it.
I'm not bitter.
So, because I don't have the kiosk package to present to you,
I'm just going to jump right into the five points that I'm presenting.
That I believe can both not only increase the security of the interface,
but also increase the usability of the interface.
The first precept that I'm going to present here
is actively using intelligent agents,
things that are similar to IDS,
in the background to predict user behavior,
to record user behavior,
to route around problems,
and to automatically readjust security parameters
based on what the user does and does not do.
One of the things that I'm going to present here
is one of the first things,
or one of the first sub-points of this precept,
is avoiding intelligent agents in the foreground.
You know, let's go back to pop-up menus and things like that.
Users hate that.
Even though, honestly,
even though I made a joke about this initially,
in one help desk job that I was working at,
there was actually a secretary
who went through
and actually made it through
the whole way of
the sexual harassment
standard procedures
complaint thing
because of Clippy.
Of course, it ended at the help desk,
and it ended up trouble ticket,
and of course,
the nicest, most sympathetic guy
who was working at the help desk
had to calm her down
because she was so traumatized
by this little paperclip
that appeared in the lower right-hand corner of her screen
and winked at her.
Honestly, these people have nothing better to do.
And of course,
the best thing that
you can do is predict and adapt
to suspicious behavior.
I actually got clearance to tell you
one of the things that we were going to implement
in the kiosk system
that we never actually ended up implementing.
The bombardment attack,
like I was pointing out earlier,
pop-up windows and things like that,
what we were trying to do was map
that behavior pattern.
And before those windows got a chance to propagate
all over the workspace,
what we wanted our kiosk application to do
was to automatically dock all of them
at the bottom.
And then after all of the pop-up windows
had come to the surface,
and they were docked at the bottom,
what we wanted to do
was write an intelligent agent
that would figure out
if any of those boxes
were actually needed
to gain further access to the site.
And then of course,
give the user the option
of either browsing through
all those pop-up windows
to find what they wanted,
or more often than not,
the user just simply wanted
to get rid of them.
And that's the kind of things
that we can do
with intelligent agents now.
I mean, we didn't end up implementing that,
but we were a small development team.
It's not at all,
in any way, shape, or form,
beyond the scope
of any kind of professional development team,
to develop intelligent agents
to predict
that kind of common jarring behavior
that leads to insecurity for users
on the internet
and route around that.
The second point
actually comes from a paper
that was presented
in a journal of the
Association for Computing Machinery.
The paper's called
The Anti-Mac Interface.
And one of the big points they made
was don't hand controls to the user
when they're working
and they're not in a position
to be in control.
It's okay to have
the little five-year-old
come into the cockpit
and see everything like that.
It's okay even for an older person
interested in aviation
to hold the controls of a plane
for a second like that.
But you don't want Joe Novice
on the street
flying your flight out of L.A.
to wherever you're going.
You want an experienced pilot
who knows exactly what they're doing
flying that plane.
And it's the same sort of thing
for users.
You don't want to give them controls
when far and away they're not
qualified to handle
the kind of responsibility
that that control invests in them.
Second point in that is
don't give the user
any information they can't use.
If you have an intelligent agent
application system set up beforehand,
what you really want to do
is to try to send this information
into some kind of log file,
into a place where it can be examined,
send it to network administrators
if you're running a series of kiosks,
or at least bury the information
in some kind of log
where you don't give the user
the opportunity
to act on any of that information.
Where they can look at it,
they can see it,
and if they know exactly
what they're doing,
they can fix and predict
and adapt to that behavior,
but you don't give them
a dialogue box of the choice
yes, no, or cancel.
This actually leads to
another one of my funny
little help desk stories.
Our network admin changed
all of our keys for SSH
on all of our login pool servers.
And unfortunately,
he forgot to send out
the customary email
the week before saying,
oh, hi, the keys have changed.
You know, your SSH clients
are going to say
your keys have changed to this.
Just click yes
and continue going on
and on and on.
So this came up
all over in our department.
We got a couple of calls about it.
And when we were looking
at the servers later,
we found that a lot of users
who we had told to use SSH
because it was more secure
would look at this and panic
and think, oh, my God, oh, my God,
SSH is, you know, insecure.
And what would they do?
They would open up Telnet.
And like I said before,
because that's a familiar
behavior pattern to them.
You know, because we said
SSH was more secure,
it didn't necessarily register
in the user's mind
that Telnet was insecure.
And that's what they had used
before SSH,
so that's immediately
what they went back to
when they perceived SSH
to be compromised.
And of course it wasn't,
but in any case.
And the last or
second to last precept of this
is, uh,
in kiosk and office applications,
the interface should not accept
new software from the user.
Of course, this is most often
in commercial applications
not possible,
but in office applications
and in places where you can
restrict things like that,
where you do have a cohesive policy
that says, you know,
don't download cute little sheep,
this is the more active course,
this is the better course
of action to do.
And you can have kiosks out there
that know exactly
what software they may need
in situations,
reprogram them occasionally
and say, okay,
new software is coming out,
you can download this
and not have to take up
so much room on the kiosks
if, you know,
you don't have that room.
But the trade-off to this
is that,
and this is the, again,
enabling usability point,
afford conveniences to the user
that make them feel in control.
Give them more powerful controls
than they have now
to manipulate the objects
that they need to manipulate
in their environment,
but don't give them
the tools to manipulate
the environment itself.
You know, what makes you feel
like you have more control
over a car?
You know, a responsive stick,
responsive steering,
responsive gas and brake pedals,
or the ability to reroute
the oil into the gas
if you need to.
You know.
I mean, control about,
I mean, when you're using
the car analogy,
control about a car
is all about how you use it
to get the work
you need done, done.
And if it's responsive
and if it's active
and if it's using the agents
that, you know,
we're trying to describe
and we're trying to develop,
then it will actually become
more usable
and at the same time
more secure.
And the other thing is
please don't build your interfaces
like brick houses.
Make it as modular as you want,
but be sure that the bricks
don't fall out too easily.
I'm sure that anybody
who's written a lot of papers in Word
has at one point or another
accidentally dragged the menu bar
out of where it's supposed to be.
And as in another paper I quoted,
there is absolutely no reason
that the user,
